summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorErik Romijn <eromijn@solidlinks.nl>2014-05-17 11:29:08 +0200
committerErik Romijn <eromijn@solidlinks.nl>2014-05-19 19:16:45 +0200
commitba5ddf7aed542d25f0fdb25a04d87305de0f3972 (patch)
tree5ae62b2434ee0dcac50c1e18801812a8cd42760c
parent3b765029f04a43a2ba432936553e33d7c4a4ce29 (diff)
Fixed #22638 -- Changed CookieWizardView to ignore invalid cookies
-rw-r--r--django/contrib/formtools/exceptions.py6
-rw-r--r--django/contrib/formtools/tests/wizard/test_cookiestorage.py3
-rw-r--r--django/contrib/formtools/wizard/storage/cookie.py10
-rw-r--r--docs/releases/1.8.txt8
4 files changed, 9 insertions, 18 deletions
diff --git a/django/contrib/formtools/exceptions.py b/django/contrib/formtools/exceptions.py
deleted file mode 100644
index f07ac9f745..0000000000
--- a/django/contrib/formtools/exceptions.py
+++ /dev/null
@@ -1,6 +0,0 @@
-from django.core.exceptions import SuspiciousOperation
-
-
-class WizardViewCookieModified(SuspiciousOperation):
- """Signature of cookie modified"""
- pass
diff --git a/django/contrib/formtools/tests/wizard/test_cookiestorage.py b/django/contrib/formtools/tests/wizard/test_cookiestorage.py
index 4c1ff97475..e5377e9959 100644
--- a/django/contrib/formtools/tests/wizard/test_cookiestorage.py
+++ b/django/contrib/formtools/tests/wizard/test_cookiestorage.py
@@ -1,6 +1,5 @@
from django.test import TestCase
from django.core import signing
-from django.core.exceptions import SuspiciousOperation
from django.http import HttpResponse
from django.contrib.auth.tests.utils import skipIfCustomUser
@@ -25,7 +24,7 @@ class TestCookieStorage(TestStorage, TestCase):
self.assertEqual(storage.load_data(), {'key1': 'value1'})
storage.request.COOKIES[storage.prefix] = 'i_am_manipulated'
- self.assertRaises(SuspiciousOperation, storage.load_data)
+ self.assertIsNone(storage.load_data())
def test_reset_cookie(self):
request = get_request()
diff --git a/django/contrib/formtools/wizard/storage/cookie.py b/django/contrib/formtools/wizard/storage/cookie.py
index 9bf6503f18..0602a491b8 100644
--- a/django/contrib/formtools/wizard/storage/cookie.py
+++ b/django/contrib/formtools/wizard/storage/cookie.py
@@ -1,8 +1,5 @@
import json
-from django.core.signing import BadSignature
-
-from django.contrib.formtools.exceptions import WizardViewCookieModified
from django.contrib.formtools.wizard import storage
@@ -16,12 +13,7 @@ class CookieStorage(storage.BaseStorage):
self.init_data()
def load_data(self):
- try:
- data = self.request.get_signed_cookie(self.prefix)
- except KeyError:
- data = None
- except BadSignature:
- raise WizardViewCookieModified('WizardView cookie manipulated')
+ data = self.request.get_signed_cookie(self.prefix, default=None)
if data is None:
return None
return json.loads(data, cls=json.JSONDecoder)
diff --git a/docs/releases/1.8.txt b/docs/releases/1.8.txt
index 6b0cb85058..21864aa3c2 100644
--- a/docs/releases/1.8.txt
+++ b/docs/releases/1.8.txt
@@ -45,7 +45,13 @@ Minor features
:mod:`django.contrib.formtools`
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-* ...
+* A :doc:`form wizard </ref/contrib/formtools/form-wizard>` using the
+ :class:`~django.contrib.formtools.wizard.views.CookieWizardView` will now ignore
+ an invalid cookie, and the wizard will restart from the first step. An invalid
+ cookie can occur in cases of intentional manipulation, but also after a secret
+ key change. Previously, this would raise ``WizardViewCookieModified``, a
+ ``SuspiciousOperation``, causing an exception for any user with an invalid cookie
+ upon every request to the wizard, until the cookie is removed.
:mod:`django.contrib.gis`
^^^^^^^^^^^^^^^^^^^^^^^^^^